 Post subject: L2TP/IPSEC + OPENSWAN + X509 + NAT problem
PostPosted: Thu Oct 15, 2009 1:00 pm 

Joined: Thu Oct 15, 2009 12:42 pm
Posts: 4
Hello, I have a problem with an L2TP/IPsec connection using Openswan.
My environment:

NOTEBOOK(192.168.1.5) --> (192.168.1.1) NAT-DEVICE -> (91.78.44.185) ---> INTERNET --> 83.102.xxx.xxx (L2TP/IPSEC SERVER)


My Openswan configuration:
Code:
# cat /etc/ipsec.d/L2TP.conf
conn L2TP
        authby=rsasig
        pfs=no
        rekey=no
        keyingtries=3
        type=transport
        left=83.102.xxx.xxx
        leftprotoport=17/1701
        leftcert=server.pem
        leftrsasigkey=%cert
        right=%any
        rightprotoport=17/1701
        rightrsasigkey=%cert
        auto=add

conn L2TP-NAT
        authby=rsasig
        pfs=no
        rekey=no
        keyingtries=3
        type=transport
        left=83.102.xxx.xxx
        leftprotoport=17/1701
        leftcert=server.pem
        leftrsasigkey=%cert
        right=%any
        rightprotoport=17/1701
        rightsubnet=vhost:%no,%priv
        rightrsasigkey=%cert
        auto=add


Code:
# cat /etc/openl2tpd.conf
ppp profile modify profile_name=default


Openswan IPSec connection established with NAT feature detected:
Code:
Oct 15 11:25:43 apolo pluto[15258]: "LTP-NAT"[1] 91.78.44.185 #6: responding to Quick Mode proposal {msgid:5723061b}
Oct 15 11:25:43 apolo pluto[15258]: "LTP-NAT"[1] 91.78.44.185 #6:     us: 83.102.xxx.xxx<83.102.xxx.xxx>[+S=C]:17/1701
Oct 15 11:25:43 apolo pluto[15258]: "LTP-NAT"[1] 91.78.44.185 #6:   them: 91.78.44.185[C=RU, ST=MOSCOW, L=MOSCOW, O=ECOTECH, CN=client5,+S=C]:17/1701===192.168.1.5/32
Oct 15 11:25:43 apolo pluto[15258]: "LTP-NAT"[1] 91.78.44.185 #6: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Oct 15 11:25:43 apolo pluto[15258]: "LTP-NAT"[1] 91.78.44.185 #6: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Oct 15 11:25:43 apolo pluto[15258]: "LTP-NAT"[1] 91.78.44.185 #6: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Oct 15 11:25:43 apolo pluto[15258]: "LTP-NAT"[1] 91.78.44.185 #6: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x28032b15 <0x161310cf xfrm=3DES_0-HMAC_MD5 NATOA=192.168.1.5 NATD=91.78.44.185:4500 DPD=none}



but openl2tp can't establish a connection at all:
Code:
# openl2tpd -f -D
Loading plugin ppp_unix.so, version V0.18
Start, trace_flags=00000000 (debug enabled)
OpenL2TP V0.19, (c) Copyright 2004,2005,2006,2007 Katalix Systems Ltd.
Using config file: /etc/openl2tpd.conf
FUNC: tunl 17767: allocated context using profile 'default', created by network request
XPRT: RX: tunl 17767/0: len=101 ns/nr=0/0, our ns/nr=0/0, peer ns/nr=0/0
XPRT: tunl 17767: peer ns/nr is 0/0
DATA: RX: tunl 17767/0: rcv 101 bytes from peer 91.78.44.185, packet ns/nr 0/0 type 0
XPRT: tunl 17767: update nr from 0 to 1
AVP: tunl 17767: SCCRQ message decode of 81 bytes started
AVPDATA: PROTOCOL_VERSION: ver=1 rev=0
AVPDATA: FRAMING_CAP: cap=1
AVPDATA: BEARER_CAP: cap=0
AVPDATA: FIRMWARE_VERSION: revision=1280
AVPDATA: HOST_NAME: name=notebook
AVPDATA: VENDOR_NAME: name=Microsoft
AVPDATA: TUNNEL_ID: id=19
AVPDATA: RX_WINDOW_SIZE: size=8
PROTO: tunl 17767: SCCRQ received from peer 19
FSM: CCE(17767) event SCCRQ_ACCEPT in state IDLE
PROTO: tunl 17767: adjust tx_window_size: peer=8, ours=10
AVP: tunl 17767: building SCCRP message, 9 AVPs
PROTO: tunl 17767: sending SCCRP to peer 19
XPRT: tunl 17767: queuing tx packet, type 2, len 151, ns/nr 0/1
XPRT: tunl 17767: update ns to 1
XPRT: tunl 17767: adding packet to ackq, type 2, len 151, ns/nr 0/1
DATA: TX: tunl 17767/0: send 151 bytes to peer 91.78.44.185, packet ns/nr 0/1 type 2, retry 0
FSM: CCE(17767) state change: IDLE --> WAITCTLCONN
XPRT: tunl 17767: send zlb ack, ns/nr=1/1
FUNC: tunl 9158: allocated context using profile 'default', created by network request
XPRT: RX: tunl 9158/0: len=101 ns/nr=0/0, our ns/nr=0/0, peer ns/nr=0/0
XPRT: tunl 9158: peer ns/nr is 0/0
DATA: RX: tunl 9158/0: rcv 101 bytes from peer 91.78.44.185, packet ns/nr 0/0 type 0
XPRT: tunl 9158: update nr from 0 to 1
AVP: tunl 9158: SCCRQ message decode of 81 bytes started
AVPDATA: PROTOCOL_VERSION: ver=1 rev=0
AVPDATA: FRAMING_CAP: cap=1
AVPDATA: BEARER_CAP: cap=0
AVPDATA: FIRMWARE_VERSION: revision=1280
AVPDATA: HOST_NAME: name=notebook
AVPDATA: VENDOR_NAME: name=Microsoft
AVPDATA: TUNNEL_ID: id=19
AVPDATA: RX_WINDOW_SIZE: size=8
PROTO: tunl 9158: SCCRQ received from peer 19
FSM: CCE(9158) event SCCRQ_ACCEPT in state IDLE
PROTO: tunl 9158: adjust tx_window_size: peer=8, ours=10
AVP: tunl 9158: building SCCRP message, 9 AVPs
PROTO: tunl 9158: sending SCCRP to peer 19
XPRT: tunl 9158: queuing tx packet, type 2, len 151, ns/nr 0/1
XPRT: tunl 9158: update ns to 1
XPRT: tunl 9158: adding packet to ackq, type 2, len 151, ns/nr 0/1
DATA: TX: tunl 9158/0: send 151 bytes to peer 91.78.44.185, packet ns/nr 0/1 type 2, retry 0
FSM: CCE(9158) state change: IDLE --> WAITCTLCONN
XPRT: tunl 17767: set retry interval to 2
XPRT: tunl 9158: send zlb ack, ns/nr=1/1
XPRT: tunl 9158: set retry interval to 2
XPRT: tunl 17767: set retry interval to 4
DATA: TX: tunl 17767/0: resend 151 bytes to peer 91.78.44.185, packet ns/nr 0/1 type 2, retry 1
FUNC: tunl 39017: allocated context using profile 'default', created by network request
XPRT: RX: tunl 39017/0: len=101 ns/nr=0/0, our ns/nr=0/0, peer ns/nr=0/0
XPRT: tunl 39017: peer ns/nr is 0/0
DATA: RX: tunl 39017/0: rcv 101 bytes from peer 91.78.44.185, packet ns/nr 0/0 type 0
XPRT: tunl 39017: update nr from 0 to 1
AVP: tunl 39017: SCCRQ message decode of 81 bytes started
AVPDATA: PROTOCOL_VERSION: ver=1 rev=0
AVPDATA: FRAMING_CAP: cap=1
AVPDATA: BEARER_CAP: cap=0
AVPDATA: FIRMWARE_VERSION: revision=1280
AVPDATA: HOST_NAME: name=notebook
AVPDATA: VENDOR_NAME: name=Microsoft
AVPDATA: TUNNEL_ID: id=19
AVPDATA: RX_WINDOW_SIZE: size=8
PROTO: tunl 39017: SCCRQ received from peer 19
FSM: CCE(39017) event SCCRQ_ACCEPT in state IDLE
PROTO: tunl 39017: adjust tx_window_size: peer=8, ours=10
AVP: tunl 39017: building SCCRP message, 9 AVPs
PROTO: tunl 39017: sending SCCRP to peer 19
XPRT: tunl 39017: queuing tx packet, type 2, len 151, ns/nr 0/1
XPRT: tunl 39017: update ns to 1
XPRT: tunl 39017: adding packet to ackq, type 2, len 151, ns/nr 0/1
DATA: TX: tunl 39017/0: send 151 bytes to peer 91.78.44.185, packet ns/nr 0/1 type 2, retry 0
FSM: CCE(39017) state change: IDLE --> WAITCTLCONN
XPRT: tunl 9158: set retry interval to 4
DATA: TX: tunl 9158/0: resend 151 bytes to peer 91.78.44.185, packet ns/nr 0/1 type 2, retry 1
XPRT: tunl 17767: set retry interval to 8
DATA: TX: tunl 17767/0: resend 151 bytes to peer 91.78.44.185, packet ns/nr 0/1 type 2, retry 2
XPRT: tunl 39017: send zlb ack, ns/nr=1/1
DATA: TX: tunl 17767/0: resend 151 bytes to peer 91.78.44.185, packet ns/nr 0/1 type 2, retry 3
XPRT: tunl 39017: set retry interval to 2
XPRT: tunl 9158: set retry interval to 8
DATA: TX: tunl 9158/0: resend 151 bytes to peer 91.78.44.185, packet ns/nr 0/1 type 2, retry 2
DATA: TX: tunl 17767/0: resend 151 bytes to peer 91.78.44.185, packet ns/nr 0/1 type 2, retry 4
XPRT: tunl 39017: set retry interval to 4
DATA: TX: tunl 39017/0: resend 151 bytes to peer 91.78.44.185, packet ns/nr 0/1 type 2, retry 1
DATA: TX: tunl 9158/0: resend 151 bytes to peer 91.78.44.185, packet ns/nr 0/1 type 2, retry 3
FUNC: tunl 18547: allocated context using profile 'default', created by network request
XPRT: RX: tunl 18547/0: len=101 ns/nr=0/0, our ns/nr=0/0, peer ns/nr=0/0
XPRT: tunl 18547: peer ns/nr is 0/0



Looks like openl2tpd won't talk to the client inside the IPsec tunnel, or something.

I tried playing with -p ipsec.so, but without success.

The README file for ipsec.so says that NAT clients need some special support provided by patches for ipsec-tools, racoon and the kernel ...

But there is no racoon here at all; Openswan is doing all the dirty work.

Any solutions?



PS: setkey -DP at the moment Openswan brings the IPsec SA up:
Code:
10.128.223.85[any] 83.102.xxx.xxx[any] udp
   in prio high + 1073739744 ipsec
   esp/transport//unique#16537
   created: Oct 15 17:15:32 2009  lastused:                     
   lifetime: 0(s) validtime: 0(s)
   spid=38136 seq=29 pid=16960
   refcnt=1
83.102.xxx.xxx[any] 10.128.223.85[any] udp
   out prio high + 1073739744 ipsec
   esp/transport//unique#16537
   created: Oct 15 17:15:32 2009  lastused:                     
   lifetime: 0(s) validtime: 0(s)
   spid=38145 seq=26 pid=16960
   refcnt=1



PPS: the same log with -p ipsec.so:
Code:
# openl2tpd -f -D -p ipsec.so
Loading plugin ipsec.so, version V0.2
L2TP/IPSec ephemeral port support enabled.
Loading plugin ppp_unix.so, version V0.18
Start, trace_flags=00000000 (debug enabled)
OpenL2TP V0.19, (c) Copyright 2004,2005,2006,2007 Katalix Systems Ltd.
Using config file: /etc/openl2tpd.conf
FUNC: tunl 17767: allocated context using profile 'default', created by network request
tunl 17767: setting up ipsec SPD entry for 5366ed2c/48895 - bca218b8/1701
XPRT: RX: tunl 17767/0: len=102 ns/nr=0/0, our ns/nr=0/0, peer ns/nr=0/0
XPRT: tunl 17767: peer ns/nr is 0/0
DATA: RX: tunl 17767/0: rcv 102 bytes from peer 91.78.44.185, packet ns/nr 0/0 type 0
XPRT: tunl 17767: update nr from 0 to 1
AVP: tunl 17767: SCCRQ message decode of 82 bytes started
AVPDATA: PROTOCOL_VERSION: ver=1 rev=0
AVPDATA: FRAMING_CAP: cap=1
AVPDATA: BEARER_CAP: cap=0
AVPDATA: FIRMWARE_VERSION: revision=1280
AVPDATA: HOST_NAME: name=maxim-vm2
AVPDATA: VENDOR_NAME: name=Microsoft
AVPDATA: TUNNEL_ID: id=6
AVPDATA: RX_WINDOW_SIZE: size=8
PROTO: tunl 17767: SCCRQ received from peer 6
FSM: CCE(17767) event SCCRQ_ACCEPT in state IDLE
PROTO: tunl 17767: adjust tx_window_size: peer=8, ours=10
AVP: tunl 17767: building SCCRP message, 9 AVPs
PROTO: tunl 17767: sending SCCRP to peer 6
XPRT: tunl 17767: queuing tx packet, type 2, len 151, ns/nr 0/1
XPRT: tunl 17767: update ns to 1
XPRT: tunl 17767: adding packet to ackq, type 2, len 151, ns/nr 0/1
DATA: TX: tunl 17767/0: send 151 bytes to peer 91.78.44.185, packet ns/nr 0/1 type 2, retry 0
FSM: CCE(17767) state change: IDLE --> WAITCTLCONN
FUNC: tunl 9158: allocated context using profile 'default', created by network request
tunl 9158: setting up ipsec SPD entry for 5366ed2c/51526 - bca218b8/1701
XPRT: RX: tunl 9158/0: len=102 ns/nr=0/0, our ns/nr=0/0, peer ns/nr=0/0
XPRT: tunl 9158: peer ns/nr is 0/0
DATA: RX: tunl 9158/0: rcv 102 bytes from peer 91.78.44.185, packet ns/nr 0/0 type 0
XPRT: tunl 9158: update nr from 0 to 1
AVP: tunl 9158: SCCRQ message decode of 82 bytes started
AVPDATA: PROTOCOL_VERSION: ver=1 rev=0
AVPDATA: FRAMING_CAP: cap=1
AVPDATA: BEARER_CAP: cap=0
AVPDATA: FIRMWARE_VERSION: revision=1280
AVPDATA: HOST_NAME: name=maxim-vm2
AVPDATA: VENDOR_NAME: name=Microsoft
AVPDATA: TUNNEL_ID: id=6
AVPDATA: RX_WINDOW_SIZE: size=8
PROTO: tunl 9158: SCCRQ received from peer 6
FSM: CCE(9158) event SCCRQ_ACCEPT in state IDLE
PROTO: tunl 9158: adjust tx_window_size: peer=8, ours=10
AVP: tunl 9158: building SCCRP message, 9 AVPs
PROTO: tunl 9158: sending SCCRP to peer 6
XPRT: tunl 9158: queuing tx packet, type 2, len 151, ns/nr 0/1
XPRT: tunl 9158: update ns to 1
XPRT: tunl 9158: adding packet to ackq, type 2, len 151, ns/nr 0/1
DATA: TX: tunl 9158/0: send 151 bytes to peer 91.78.44.185, packet ns/nr 0/1 type 2, retry 0
FSM: CCE(9158) state change: IDLE --> WAITCTLCONN
XPRT: tunl 17767: set retry interval to 2
XPRT: tunl 17767: send zlb ack, ns/nr=1/1
XPRT: tunl 17767: set retry interval to 4
DATA: TX: tunl 17767/0: resend 151 bytes to peer 91.78.44.185, packet ns/nr 0/1 type 2, retry 1
XPRT: tunl 9158: set retry interval to 2
XPRT: tunl 9158: send zlb ack, ns/nr=1/1
FUNC: tunl 39017: allocated context using profile 'default', created by network request
tunl 39017: setting up ipsec SPD entry for 5366ed2c/60065 - bca218b8/1701
XPRT: RX: tunl 39017/0: len=102 ns/nr=0/0, our ns/nr=0/0, peer ns/nr=0/0
XPRT: tunl 39017: peer ns/nr is 0/0
DATA: RX: tunl 39017/0: rcv 102 bytes from peer 91.78.44.185, packet ns/nr 0/0 type 0
XPRT: tunl 39017: update nr from 0 to 1
AVP: tunl 39017: SCCRQ message decode of 82 bytes started
AVPDATA: PROTOCOL_VERSION: ver=1 rev=0
AVPDATA: FRAMING_CAP: cap=1
AVPDATA: BEARER_CAP: cap=0
AVPDATA: FIRMWARE_VERSION: revision=1280
AVPDATA: HOST_NAME: name=maxim-vm2
AVPDATA: VENDOR_NAME: name=Microsoft
AVPDATA: TUNNEL_ID: id=6
AVPDATA: RX_WINDOW_SIZE: size=8
PROTO: tunl 39017: SCCRQ received from peer 6
FSM: CCE(39017) event SCCRQ_ACCEPT in state IDLE
PROTO: tunl 39017: adjust tx_window_size: peer=8, ours=10
AVP: tunl 39017: building SCCRP message, 9 AVPs
PROTO: tunl 39017: sending SCCRP to peer 6
XPRT: tunl 39017: queuing tx packet, type 2, len 151, ns/nr 0/1
XPRT: tunl 39017: update ns to 1
XPRT: tunl 39017: adding packet to ackq, type 2, len 151, ns/nr 0/1
DATA: TX: tunl 39017/0: send 151 bytes to peer 91.78.44.185, packet ns/nr 0/1 type 2, retry 0
FSM: CCE(39017) state change: IDLE --> WAITCTLCONN
XPRT: tunl 17767: set retry interval to 8
DATA: TX: tunl 17767/0: resend 151 bytes to peer 91.78.44.185, packet ns/nr 0/1 type 2, retry 2
XPRT: tunl 9158: set retry interval to 4
DATA: TX: tunl 9158/0: resend 151 bytes to peer 91.78.44.185, packet ns/nr 0/1 type 2, retry 1
XPRT: tunl 39017: set retry interval to 2
XPRT: tunl 39017: send zlb ack, ns/nr=1/1
XPRT: tunl 39017: set retry interval to 4
DATA: TX: tunl 39017/0: resend 151 bytes to peer 91.78.44.185, packet ns/nr 0/1 type 2, retry 1
DATA: TX: tunl 17767/0: resend 151 bytes to peer 91.78.44.185, packet ns/nr 0/1 type 2, retry 3
XPRT: tunl 9158: set retry interval to 8
DATA: TX: tunl 9158/0: resend 151 bytes to peer 91.78.44.185, packet ns/nr 0/1 type 2, retry 2
XPRT: tunl 39017: set retry interval to 8
DATA: TX: tunl 39017/0: resend 151 bytes to peer 91.78.44.185, packet ns/nr 0/1 type 2, retry 2
Exiting
Cleaning up before exiting
tunl 39017: free when use_count=1
tunl 9158: free when use_count=1
tunl 17767: free when use_count=1
Unloading plugin /usr/lib/openl2tp/ppp_unix.so
Unloading plugin /usr/lib/openl2tp/ipsec.so
The result of line 1: No entry.
The result of line 1: No entry.
The result of line 1: No entry.


 Post subject: Re: L2TP/IPSEC + OPENSWAN + X509 + NAT problem
PostPosted: Thu Oct 15, 2009 3:07 pm 

Joined: Thu Oct 15, 2009 12:42 pm
Posts: 4
tcpdump (without -p ipsec.so):

Code:
tcpdump host 91.78.44.185 -i eth2 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 96 bytes
17:53:43.464629 IP 91.78.44.185.41344 > 83.102.xxx.xxx.500: isakmp: phase 1 I ident
17:53:43.464936 IP 83.102.xxx.xxx.500 > 91.78.44.185.41344: isakmp: phase 1 R ident
17:53:43.824161 IP 91.78.44.185.41344 > 83.102.xxx.xxx.500: isakmp: phase 1 I ident
17:53:43.831180 IP 83.102.xxx.xxx.500 > 91.78.44.185.41344: isakmp: phase 1 R ident
17:53:44.024794 IP 91.78.44.185.18399 > 83.102.xxx.xxx.4500: NONESP-encap: isakmp: phase 1 I ident[E]
17:53:44.028335 IP 83.102.xxx.xxx.4500 > 91.78.44.185.18399: NONESP-encap: isakmp: phase 1 R ident[E]
17:53:44.189198 IP 91.78.44.185.18399 > 83.102.xxx.xxx.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
17:53:44.221260 IP 83.102.xxx.xxx.4500 > 91.78.44.185.18399: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
17:53:44.518757 IP 91.78.44.185.18399 > 83.102.xxx.xxx.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
17:53:44.524005 IP 91.78.44.185.18399 > 83.102.xxx.xxx.4500: UDP-encap: ESP(spi=0x50e66811,seq=0x1), length 140
17:53:44.524970 IP 83.102.xxx.xxx.1701 > 91.78.44.185.1701:  l2tp:[TLS](17/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP(AD) |...
17:53:45.163737 IP 83.102.xxx.xxx.1701 > 91.78.44.185.1701:  l2tp:[TLS](17/0)Ns=1,Nr=1 ZLB
17:53:45.318791 IP 91.78.44.185.18399 > 83.102.xxx.xxx.4500: UDP-encap: ESP(spi=0x50e66811,seq=0x2), length 140
17:53:46.913775 IP 83.102.xxx.xxx.1701 > 91.78.44.185.1701:  l2tp:[TLS](17/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP(AD) |...
17:53:47.328871 IP 91.78.44.185.18399 > 83.102.xxx.xxx.4500: UDP-encap: ESP(spi=0x50e66811,seq=0x3), length 140
17:53:47.923775 IP 91.78.44.185.18399 > 83.102.xxx.xxx.4500: isakmp-nat-keep-alive
17:53:48.163788 IP 83.102.xxx.xxx.1701 > 91.78.44.185.1701:  l2tp:[TLS](17/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP(AD) |...
17:53:49.412796 IP 83.102.xxx.xxx.1701 > 91.78.44.185.1701:  l2tp:[TLS](17/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP(AD) |...
17:53:50.662814 IP 83.102.xxx.xxx.1701 > 91.78.44.185.1701:  l2tp:[TLS](17/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP(AD) |...
17:53:51.389008 IP 91.78.44.185.18399 > 83.102.xxx.xxx.4500: UDP-encap: ESP(spi=0x50e66811,seq=0x4), length 140
17:53:51.912832 IP 83.102.xxx.xxx.1701 > 91.78.44.185.1701:  l2tp:[TLS](17/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP(AD) |...
17:53:59.344378 IP 91.78.44.185.18399 > 83.102.xxx.xxx.4500: UDP-encap: ESP(spi=0x50e66811,seq=0x5), length 140
17:54:04.538854 IP 91.78.44.185.18399 > 83.102.xxx.xxx.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
17:54:04.538862 IP 91.78.44.185.18399 > 83.102.xxx.xxx.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
17:54:04.539086 IP 83.102.xxx.xxx.4500 > 91.78.44.185.18399: NONESP-encap: isakmp: phase 2/others R inf[E]
17:54:04.555660 IP 83.102.xxx.xxx.4500 > 91.78.44.185.18399: NONESP-encap: isakmp: phase 2/others R inf[E]
17:54:07.933878 IP 91.78.44.185.18399 > 83.102.xxx.xxx.4500: isakmp-nat-keep-alive



tcpdump (with -p ipsec.so):
Code:
17:54:27.909003 IP 91.78.44.185.18399 > 83.102.xxx.xxx.4500: isakmp-nat-keep-alive
17:54:29.184260 IP 91.78.44.185.41344 > 83.102.xxx.xxx.500: isakmp: phase 1 I ident
17:54:29.184500 IP 83.102.xxx.xxx.500 > 91.78.44.185.41344: isakmp: phase 1 R ident
17:54:29.479338 IP 91.78.44.185.41344 > 83.102.xxx.xxx.500: isakmp: phase 1 I ident
17:54:29.486317 IP 83.102.xxx.xxx.500 > 91.78.44.185.41344: isakmp: phase 1 R ident
17:54:29.930076 IP 91.78.44.185.18399 > 83.102.xxx.xxx.4500: NONESP-encap: isakmp: phase 1 I ident[E]
17:54:29.933583 IP 83.102.xxx.xxx.4500 > 91.78.44.185.18399: NONESP-encap: isakmp: phase 1 R ident[E]
17:54:30.128961 IP 91.78.44.185.18399 > 83.102.xxx.xxx.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
17:54:30.129813 IP 83.102.xxx.xxx.4500 > 91.78.44.185.18399: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
17:54:30.354079 IP 91.78.44.185.18399 > 83.102.xxx.xxx.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
17:54:30.379316 IP 91.78.44.185.18399 > 83.102.xxx.xxx.4500: UDP-encap: ESP(spi=0xb156a623,seq=0x1), length 140
17:54:31.314270 IP 91.78.44.185.18399 > 83.102.xxx.xxx.4500: UDP-encap: ESP(spi=0xb156a623,seq=0x2), length 140
17:54:33.304612 IP 91.78.44.185.18399 > 83.102.xxx.xxx.4500: UDP-encap: ESP(spi=0xb156a623,seq=0x3), length 140
17:54:37.279299 IP 91.78.44.185.18399 > 83.102.xxx.xxx.4500: UDP-encap: ESP(spi=0xb156a623,seq=0x4), length 140
17:54:45.243914 IP 91.78.44.185.18399 > 83.102.xxx.xxx.4500: UDP-encap: ESP(spi=0xb156a623,seq=0x5), length 140
17:54:47.938845 IP 91.78.44.185.18399 > 83.102.xxx.xxx.4500: isakmp-nat-keep-alive
17:54:55.259086 IP 91.78.44.185.18399 > 83.102.xxx.xxx.4500: UDP-encap: ESP(spi=0xb156a623,seq=0x6), length 140
17:55:05.258765 IP 91.78.44.185.18399 > 83.102.xxx.xxx.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
17:55:05.259029 IP 83.102.xxx.xxx.4500 > 91.78.44.185.18399: NONESP-encap: isakmp: phase 2/others R inf[E]
17:55:05.263761 IP 91.78.44.185.18399 > 83.102.xxx.xxx.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
17:55:05.282525 IP 83.102.xxx.xxx.4500 > 91.78.44.185.18399: NONESP-encap: isakmp: phase 2/others R inf[E]
17:55:07.923714 IP 91.78.44.185.18399 > 83.102.xxx.xxx.4500: isakmp-nat-keep-alive



Looks like -p ipsec.so makes all L2TP traffic go inside the IPsec tunnel, but with the wrong destination or something...

openl2tpd output:
Code:
openl2tpd -f -D -p ipsec.so
Loading plugin ipsec.so, version V0.2
L2TP/IPSec ephemeral port support enabled.
...
tunl 17767: setting up ipsec SPD entry for 5366ed2c/1701 - bca212d6/1701
DATA: RX: tunl 17767/0: rcv 102 bytes from peer 91.78.44.185, packet ns/nr 0/0 type 0
...
PROTO: tunl 17767: SCCRQ received from peer 18
...
DATA: TX: tunl 17767/0: send 151 bytes to peer 91.78.44.185, packet ns/nr 0/1 type 2, retry 0
FSM: CCE(17767) state change: IDLE --> WAITCTLCONN
XPRT: tunl 17767: set retry interval to 2
....

Looks like openl2tpd misunderstands something, or something is wrong with the source/destination inside the tunnel through the NAT device.

Code:
# setkey -DP
10.128.223.85[any] 83.102.xxx.xxx[any] udp
83.102.xxx.xxx[any] 10.128.223.85[any] udp


 Post subject: Re: L2TP/IPSEC + OPENSWAN + X509 + NAT problem
PostPosted: Thu Oct 15, 2009 3:20 pm 

Joined: Thu Oct 15, 2009 12:42 pm
Posts: 4
Quote:
The OpenL2TP ipsec.so plugin causes OpenL2TP to insert and remove rules dynamically as tunnels are set up and torn down. To enable this feature, simply use the -p option when starting openl2tpd, i.e.

openl2tpd -p ipsec.so



tunl 17767: setting up ipsec SPD entry for 5366ed2c/1701 - bca212d6/1701
means openl2tpd creates an SPD entry for
83.102.xxx.xxx/1701 <--> 91.78.44.185/1701

but Openswan creates the SPD for NAT-T as:
10.128.223.85 <--> 83.102.xxx.xxx


damn... this is too hard ;) ... please help


 Post subject: Re: L2TP/IPSEC + OPENSWAN + X509 + NAT problem
PostPosted: Thu Oct 15, 2009 4:13 pm 

Joined: Thu Oct 15, 2009 12:42 pm
Posts: 4
Latest news:

Analyzing the traffic dumps, I localized the problem:
Code:
1. 17:53:44.524005 IP 91.78.44.185.18399 > 83.102.xxx.xxx.4500: UDP-encap: ESP(spi=0x50e66811,seq=0x1), length 140
2. 17:53:44.524970 IP 83.102.xxx.xxx.1701 > 91.78.44.185.1701:  l2tp:[TLS](17/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP(AD) |...


The Windows client sends its request inside the tunnel (line 1).
openl2tp answers outside the tunnel (line 2).

It looks like this is because Openswan follows NAT-T and creates the SPD as
10.128.223.85[any] 83.102.xxx.xxx[any] udp
83.102.xxx.xxx[any] 10.128.223.85[any] udp

so traffic from 83.102.xxx.xxx to 91.78.44.185 does not go into the IPsec tunnel.


If I enable "-p ipsec.so", all traffic from openl2tp to the client just disappears...


Hm... these guys have the same problem with the l2tpd daemon... there is no solution:
http://www.mail-archive.com/l2tpd-devel ... 01028.html
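As an added example (not code from this thread, nor from OpenL2TP or Openswan), here is a small Python checker that does what the last post did by hand: it finds L2TP control packets the server sent in the clear in a tcpdump trace, parses setkey -DP into policy records, and reports whether any outbound ipsec policy selector actually covers the server -> peer reply. The sample inputs are constructed from the thread's own dumps; 83.102.xxx.xxx is the author's masked server address and is treated as an opaque token.

```python
import re
from dataclasses import dataclass

# Constructed sample from the thread's tcpdump: packets inside the tunnel decode as
# "UDP-encap: ESP(...)"; only packets that left the host in the clear decode as "l2tp:".
SAMPLE_TCPDUMP = """\
17:53:44.524005 IP 91.78.44.185.18399 > 83.102.xxx.xxx.4500: UDP-encap: ESP(spi=0x50e66811,seq=0x1), length 140
17:53:44.524970 IP 83.102.xxx.xxx.1701 > 91.78.44.185.1701:  l2tp:[TLS](17/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0)
17:53:45.163737 IP 83.102.xxx.xxx.1701 > 91.78.44.185.1701:  l2tp:[TLS](17/0)Ns=1,Nr=1 ZLB
"""
# Constructed sample from the thread's setkey -DP: the outbound selector names the NAT-OA
# inner address 10.128.223.85, not the public address 91.78.44.185 the reply is sent to.
SAMPLE_SPD = """\
10.128.223.85[any] 83.102.xxx.xxx[any] udp
   in prio high + 1073739744 ipsec
   esp/transport//unique#16537
83.102.xxx.xxx[any] 10.128.223.85[any] udp
   out prio high + 1073739744 ipsec
   esp/transport//unique#16537
"""

PKT_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+):\s*(?P<decode>.*)$")
SEL_RE = re.compile(r"^(?P<src>\S+)\[(?P<sport>[^\]]+)\] (?P<dst>\S+)\[(?P<dport>[^\]]+)\] (?P<proto>\S+)$")

@dataclass(frozen=True)
class Policy:
    src: str
    sport: str
    dst: str
    dport: str
    proto: str
    direction: str  # in / out / fwd
    action: str     # ipsec / none / discard

def parse_spd(text):
    """Parse setkey -DP output: a selector line followed by the in/out line that names the action."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    policies = []
    for i, line in enumerate(lines[:-1]):
        m = SEL_RE.match(line)
        if m:
            fields = lines[i + 1].split()
            policies.append(Policy(**m.groupdict(), direction=fields[0], action=fields[-1]))
    return policies

def _port_ok(selector, port):
    return selector == "any" or selector == port

def outbound_covered(policies, src, dst, sport, dport, proto="udp"):
    """True if some outbound 'ipsec' policy selector matches src:sport -> dst:dport."""
    return any(p.direction == "out" and p.action == "ipsec" and p.proto in (proto, "any")
               and p.src == src and p.dst == dst
               and _port_ok(p.sport, sport) and _port_ok(p.dport, dport)
               for p in policies)

def cleartext_l2tp(tcpdump_text, server):
    """Yield (ts, src, sport, dst, dport) for L2TP packets the server sent without ESP."""
    for line in tcpdump_text.splitlines():
        m = PKT_RE.match(line)
        if m and m["src"] == server and m["decode"].startswith("l2tp:"):
            yield m["ts"], m["src"], m["sport"], m["dst"], m["dport"]

def diagnose(tcpdump_text, spd_text, server):
    """Per cleartext L2TP packet: the peer it went to and which destinations outbound policies cover."""
    policies = parse_spd(spd_text)
    out_dsts = sorted({p.dst for p in policies if p.direction == "out" and p.action == "ipsec"})
    findings = []
    for ts, src, sport, dst, dport in cleartext_l2tp(tcpdump_text, server):
        covered = outbound_covered(policies, src, dst, sport, dport)
        findings.append({"ts": ts, "peer": dst, "covered": covered, "out_policy_dsts": out_dsts})
    return findings

if __name__ == "__main__":
    for f in diagnose(SAMPLE_TCPDUMP, SAMPLE_SPD, "83.102.xxx.xxx"):
        print(f"{f['ts']} cleartext L2TP to {f['peer']}; outbound ipsec policies cover {f['out_policy_dsts']}")
```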

